This has nothing to do with Web Services. The Java code implementing the Web Service should get the EJB references just as you would from a standalone class. When a method in your Web Service class is invoked, it needs to get an InitialContext reference to the EJB container. If security is required, you need to pass the correct user credentials when getting the InitialContext.